I have a virtual pen-testing lab. My host is win7. I installed BT5 and WinXP in Vmware. Host has 192.168.2.1, BT5: 192.168.2.2 and XP:192.168.2.3When i ping from host machine and BT5 to WinXP, all packets are lost. But when a send ping packets from WinXP to Bt5 and Host machine, there is not any problem.So what's the possible problem for you?

I know that if there is not any open port then you can't hack a system via it's ip address but i didn't know that ping packets get lose because of stealth ports and windows firewall blocks ping packets.

I would rather call his statement, his methodology A good way to start pentesting your own boxes locally, is to obtain a methodology if you don't have any, as most pentesting companies doesn't just fire all canons and hope they find something, well, some do, but most (should) be following either a recognized methodology or an internal one.

There's a few methodologies out there such as NIST SP800-42 (it is somewhat outdated but easy to read), OSSTMM (very generic), and PTES (pentest-standard.org, not sure how far this project is in becoming final or first draft), but I recommend you (Schiz0id) check out pentest methodologies / frameworks and learn a bit more about networking and firewalls

Note - that methodology is for learning. I wouldn't necessarily 'fire all cannons', as MaXe pointed out, in a full, REAL pentest (I might, but it depends on the cirumstance.)

But for your purposes of learning, and based on your simply trying to learn to exploit the box in you lab, in general, I'd be following what I told you.

PS - @Shock - just curious... How did Python get brought into that mix? I never said, "I'd do it all in Python" Yes, I'd use Python to script some of my processes, etc, or even to write some testing-specific tools, but for just the general stuff, the original poster was asking, I didn't see Python slipping in there (at least not YET ;) ) Or are you just learning to write your own stuff, so that came to mind?

Last edited by hayabusa on Sun Oct 28, 2012 6:49 pm, edited 1 time in total.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

hayabusa wrote:Note - that methodology is for learning. I wouldn't necessarily 'fire all cannons', as MaXe pointed out, in a full, REAL pentest (I might, but it depends on the cirumstance.)

I agree that I shouldn't limit myself to a single methodology, but I do use an internal methodology to avoid missing items / attack vectors when I have 100 or more items to test for.

It may sound extreme, but we (the company I work for) try to cover all possible attack vectors, so we don't go as deep as it could otherwise be possible, but the attack surface is limited quite a lot (if the customer remediates all the flaws identified), when all of the services are up to date and configured in line with security best practice. Well, it's just my point of view from a "corporate point of view". (It is after all, much more fun to study a service, fuzz it locally and try to develop an exploit for it.)

I don't use a methodology as the only option though, I usually poke around manually while running the scanners (that must be run anyway, which usually finds all the low hanging fruit), and after that (the automated scans and manually poking around), I go through the methodology (i.e. checklists) to see if I missed anything as I sometimes encounter technology I haven't been exposed to yet, which there usually is a (internal) methodology for.

When it comes to web applications I don't use a methodology though, as even though some attacks can be quite advanced, it's a lot easier to keep the entire methodology of web application pentesting in the mind than with network pentesting, where everything from routing to exploitation of services must be done.

Of course, it depends on how "deep" the client permits you to go, as I am often not allowed to use Social Engineering attacks (meaning all client-side attacks are not allowed, unfortunately ), plus intentional DoS attacks too (which doesn't add any value to the business if you do it on their production equipment during business hours, even though it shouldn't be possible to DoS them with a single computer).

tl;drI just try to cover as much as possible by using methodologies when I am unsure whether I tested everything humanly possible (I should begin to script some of the work I do though, as a lot of the items from the methodology I use could be scripted and save a lot of time. ) And yeah I still agree with hayabusa of course

I know that if there is not any open port then you can't hack a system via it's ip address but i didn't know that ping packets get lose because of stealth ports and windows firewall blocks ping packets.

Obviously i have to spend a lot time here to learn something.

Regards.

Its always good to get a decent understanding of the systems you are working on. If you float through many of the "How do I become a pen tester..." type threads, you will see many pointing beginners toward books on networking and such. After all, your first steps in getting ready to do a test will be centered around recon. The first chunk should be checking out the internet presence of the target. Most of this will be passive activity like google searching, DNS Records, web sites, and social network activity. Then you move in for some network enumeration. In a strongly defended environment you will have to try and work past client based firewalls and other security measures. Just because something isn't pingable by normal methods, doesn't mean it isn't online.

hayabusa wrote:PS - @Shock - just curious... How did Python get brought into that mix? I never said, "I'd do it all in Python" Yes, I'd use Python to script some of my processes, etc, or even to write some testing-specific tools, but for just the general stuff, the original poster was asking, I didn't see Python slipping in there (at least not YET ;) ) Or are you just learning to write your own stuff, so that came to mind?

Mostly learning from classwork (just the basics though so nothing sexy) and seeing the If statements in your post tripped my mind back into python programming mode.